Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Font Library REST API: sanitize font family and font face settings #58590

Merged
merged 9 commits into from
Feb 5, 2024
Merged

Font Library REST API: sanitize font family and font face settings #58590

merged 9 commits into from
Feb 5, 2024

Conversation

creativecoder
Copy link
Contributor

@creativecoder creativecoder commented Feb 2, 2024
edited
Loading

What?

Ensures font family and font face settings are sanitized when creating or updating through the REST API endpoints.

Addresses part of #58464

Why?

  • Clean and normalize font family and font face settings data.
  • To mitigate possible XSS attacks.

How?

  • Uses the sanitize_callback param for each setting in the schema, and manually calls the callback for each property because the settings are submitted as JSON string and aren't handled by normal REST API mechanisms.
  • Updates WP_Font_Utils::format_font_family to WP_Font_Utils::santize_font_family and calls sanitize_text_field on the font family value so it is sanitized in addition to being formatted.
  • Manually removes arg_options from the public schema of font family and font face controllers, because the parent controller doesn't handle that for child properties.
  • Add phpunit tests for the above.

Testing Instructions

  • See updated unit tests.
  • Try creating a font family or font face with tags, whitespace, or line breaks in the settings values and see that they are sanitized before being created.
  • Check that installing from the Google Fonts collection works as expected.

@creativecoder creativecoder added [Status] In Progress Tracking issues with work in progress [Type] Security Related to security concerns or efforts [Feature] Font Library labels Feb 2, 2024
@creativecoder creativecoder self-assigned this Feb 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 2, 2024
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core SVN

If you're a Core Committer, use this list when committing to wordpress-develop in SVN:

Props: grantmkin, youknowriad.

GitHub Merge commits

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: creativecoder <grantmkin@git.wordpress.org>
Co-authored-by: youknowriad <youknowriad@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 2, 2024
edited
Loading

This pull request has changed or added PHP files. Please confirm whether these changes need to be synced to WordPress Core, and therefore featured in the next release of WordPress.

If so, it is recommended to create a new Trac ticket and submit a pull request to the WordPress Core Github repository soon after this pull request is merged.

If you're unsure, you can always ask for help in the #core-editor channel in WordPress Slack.

Thank you! ❤️

View changed files
❔ lib/compat/wordpress-6.5/fonts/class-wp-font-utils.php
❔ lib/compat/wordpress-6.5/fonts/class-wp-rest-font-faces-controller.php
❔ lib/compat/wordpress-6.5/fonts/class-wp-rest-font-families-controller.php
❔ phpunit/tests/fonts/font-library/wpRestFontFacesController.php
❔ phpunit/tests/fonts/font-library/wpRestFontFamiliesController.php
❔ phpunit/tests/fonts/font-library/wpFontUtils/sanitizeFontFamily.php

@matiasbenedetto matiasbenedetto mentioned this pull request Feb 2, 2024
Closed
25 tasks
@creativecoder creativecoder force-pushed the update/font-family-face-sanitization branch from 5d6adce to bbf195c Compare February 2, 2024 19:14
@creativecoder creativecoder marked this pull request as ready for review February 2, 2024 22:18
@creativecoder
Copy link
Contributor Author

This should be ready for a review.

@creativecoder creativecoder added REST API Interaction Related to REST API and removed [Status] In Progress Tracking issues with work in progress labels Feb 2, 2024
@creativecoder creativecoder changed the title Sanitize font family and face properties when creating or updating via REST API Font Library REST API: sanitize font family and font face settings Feb 2, 2024
@creativecoder creativecoder force-pushed the update/font-family-face-sanitization branch from b598513 to a93a409 Compare February 2, 2024 23:04
@youknowriad youknowriad merged commit 09b6744 into trunk Feb 5, 2024
57 checks passed
@youknowriad youknowriad deleted the update/font-family-face-sanitization branch February 5, 2024 08:40
@github-actions github-actions bot added this to the Gutenberg 17.7 milestone Feb 5, 2024
@creativecoder creativecoder mentioned this pull request Feb 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@youknowriad youknowriad youknowriad approved these changes

@pbking pbking Awaiting requested review from pbking

@matiasbenedetto matiasbenedetto Awaiting requested review from matiasbenedetto

@ironprogrammer ironprogrammer Awaiting requested review from ironprogrammer

@anton-vlasenko anton-vlasenko Awaiting requested review from anton-vlasenko

@spacedmonkey spacedmonkey Awaiting requested review from spacedmonkey spacedmonkey is a code owner

Assignees

@creativecoder creativecoder

Labels
[Feature] Font Library REST API Interaction Related to REST API [Type] Security Related to security concerns or efforts
Projects
None yet
Milestone
Gutenberg 17.7
Development

Successfully merging this pull request may close these issues.
2 participants
@creativecoder @youknowriad